Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: java-sec-code

sec:java-sec-code:1.0.0

Scan Information:

Summary

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
--- | --- | --- | --- | --- | --- | ---
bcpkix-jdk15on-1.55.jar | cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.55:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.55 | MEDIUM | 1 | Low | 62
bcprov-jdk15on-1.55.jar | cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.55:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.55:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.55:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.55:*:*:*:*:*:*:*; cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.55:*:*:*:*:*:*:* | pkg:maven/org.bouncycastle/bcprov-jdk15on@1.55 | HIGH | 16 | Low | 54
commons-collections-3.1.jar | cpe:2.3:a:apache:commons_collections:3.1:*:*:*:*:*:*:* | pkg:maven/commons-collections/commons-collections@3.1 | HIGH | 1 | Highest | 62
commons-httpclient-3.1.jar | cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*; cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:* | pkg:maven/commons-httpclient/commons-httpclient@3.1 | MEDIUM | 2 | Highest | 91
commons-io-2.5.jar | cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:* | pkg:maven/commons-io/commons-io@2.5 | MEDIUM | 1 | Highest | 119
commons-jxpath-1.3.jar | cpe:2.3:a:apache:commons_jxpath:1.3:*:*:*:*:*:*:* | pkg:maven/commons-jxpath/commons-jxpath@1.3 | HIGH | 3 | Highest | 58
commons-net-3.6.jar | cpe:2.3:a:apache:commons_net:3.6:*:*:*:*:*:*:* | pkg:maven/commons-net/commons-net@3.6 | MEDIUM | 1 | Highest | 97
dom4j-1.6.1.jar | cpe:2.3:a:dom4j_project:dom4j:1.6.1:*:*:*:*:*:*:* | pkg:maven/dom4j/dom4j@1.6.1 | CRITICAL | 3 | Highest | 120
dom4j-2.1.0.jar | cpe:2.3:a:dom4j_project:dom4j:2.1.0:*:*:*:*:*:*:* | pkg:maven/org.dom4j/dom4j@2.1.0 | CRITICAL | 3 | Highest | 20
fastjson-1.2.24.jar | cpe:2.3:a:alibaba:alibaba:1.2.24:*:*:*:*:*:*:*; cpe:2.3:a:alibaba:fastjson:1.2.24:*:*:*:*:*:*:* | pkg:maven/com.alibaba/fastjson@1.2.24 | CRITICAL | 2 | Highest | 38
fluent-hc-4.3.6.jar | cpe:2.3:a:apache:httpclient:4.3.6:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/fluent-hc@4.3.6 | MEDIUM | 1 | Low | 32
groovy-2.4.7.jar | cpe:2.3:a:apache:groovy:2.4.7:*:*:*:*:*:*:* | pkg:maven/org.codehaus.groovy/groovy@2.4.7 | CRITICAL | 2 | High | 275
gson-2.8.0.jar | cpe:2.3:a:google:gson:2.8.0:*:*:*:*:*:*:* | pkg:maven/com.google.code.gson/gson@2.8.0 | HIGH | 1 | Highest | 22
guava-23.0.jar | cpe:2.3:a:google:guava:23.0:*:*:*:*:*:*:* | pkg:maven/com.google.guava/guava@23.0 | HIGH | 3 | Highest | 22
hibernate-validator-5.3.4.Final.jar | cpe:2.3:a:hibernate:hibernate_orm:5.3.4:*:*:*:*:*:*:*; cpe:2.3:a:redhat:hibernate_validator:5.3.4:*:*:*:*:*:*:* | pkg:maven/org.hibernate/hibernate-validator@5.3.4.Final | HIGH | 5 | Highest | 33
httpclient-4.5.12.jar | cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:* | pkg:maven/org.apache.httpcomponents/httpclient@4.5.12 | MEDIUM | 1 | Highest | 32
hutool-all-5.8.10.jar | cpe:2.3:a:hutool:hutool:5.8.10:*:*:*:*:*:*:* | pkg:maven/cn.hutool/hutool-all@5.8.10 | HIGH | 5 | Highest | 24
jackson-annotations-2.8.0.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.8.0:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.8.0 | MEDIUM | 1 | Low | 40
jackson-core-2.8.6.jar | cpe:2.3:a:fasterxml:jackson-modules-java8:2.8.6:*:*:*:*:*:*:*; cpe:2.3:a:json-java_project:json-java:2.8.6:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-core@2.8.6 | HIGH | 3 | Low | 46
jackson-databind-2.8.6.jar | cpe:2.3:a:fasterxml:jackson-databind:2.8.6:*:*:*:*:*:*:*; cpe:2.3:a:fasterxml:jackson-modules-java8:2.8.6:*:*:*:*:*:*:* | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.6 | CRITICAL | 57 | Highest | 42
jdom2-2.0.6.jar | cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:* | pkg:maven/org.jdom/jdom2@2.0.6 | HIGH | 1 | Highest | 65
jettison-1.3.7.jar | cpe:2.3:a:jettison_project:jettison:1.3.7:*:*:*:*:*:*:* | pkg:maven/org.codehaus.jettison/jettison@1.3.7 | HIGH | 5 | Highest | 28
jolokia-core-1.6.0.jar | cpe:2.3:a:jolokia:jolokia:1.6.0:*:*:*:*:*:*:* | pkg:maven/org.jolokia/jolokia-core@1.6.0 | HIGH | 1 | Highest | 18
json-path-2.2.0.jar | cpe:2.3:a:json-java_project:json-java:2.2.0:*:*:*:*:*:*:* | pkg:maven/com.jayway.jsonpath/json-path@2.2.0 | HIGH | 2 | Low | 36
json-smart-2.2.1.jar | cpe:2.3:a:json-smart_project:json-smart:2.2.1:*:*:*:*:*:*:*; cpe:2.3:a:json-smart_project:json-smart-v2:2.2.1:*:*:*:*:*:*:* | pkg:maven/net.minidev/json-smart@2.2.1 | HIGH | 3 | Highest | 39
jsoup-1.10.2.jar | cpe:2.3:a:jsoup:jsoup:1.10.2:*:*:*:*:*:*:* | pkg:maven/org.jsoup/jsoup@1.10.2 | HIGH | 2 | Highest | 35
junit-4.12.jar | cpe:2.3:a:junit:junit4:4.12:*:*:*:*:*:*:* | pkg:maven/junit/junit@4.12 | MEDIUM | 1 | Low | 49
log4j-api-2.9.1.jar | cpe:2.3:a:apache:log4j:2.9.1:*:*:*:*:*:*:* | pkg:maven/org.apache.logging.log4j/log4j-api@2.9.1 | LOW | 1 | Highest | 44
log4j-core-2.9.1.jar | cpe:2.3:a:apache:log4j:2.9.1:*:*:*:*:*:*:* | pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1 | CRITICAL | 5 | Highest | 42
logback-core-1.1.9.jar | cpe:2.3:a:qos:logback:1.1.9:*:*:*:*:*:*:* | pkg:maven/ch.qos.logback/logback-core@1.1.9 | CRITICAL | 2 | Highest | 33
mybatis-3.4.6.jar | cpe:2.3:a:mybatis:mybatis:3.4.6:*:*:*:*:*:*:* | pkg:maven/org.mybatis/mybatis@3.4.6 | CRITICAL | 2 | Highest | 46
mysql-connector-java-8.0.12.jar | cpe:2.3:a:mysql:mysql:8.0.12:*:*:*:*:*:*:*; cpe:2.3:a:oracle:mysql_connector\/j:8.0.12:*:*:*:*:*:*:* | pkg:maven/mysql/mysql-connector-java@8.0.12 | HIGH | 7 | Highest | 44
netty-codec-4.0.27.Final.jar | cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec@4.0.27.Final | CRITICAL | 16 | Highest | 28
netty-handler-4.0.27.Final.jar | cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-handler@4.0.27.Final | CRITICAL | 16 | Highest | 28
netty-transport-4.0.27.Final.jar | cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport@4.0.27.Final | CRITICAL | 15 | Highest | 26
ognl-3.0.8.jar | cpe:2.3:a:ognl_project:ognl:3.0.8:*:*:*:*:*:*:* | pkg:maven/ognl/ognl@3.0.8 | MEDIUM | 1 | Highest | 24
okhttp-2.5.0.jar | cpe:2.3:a:squareup:okhttp:2.5.0:*:*:*:*:*:*:* | pkg:maven/com.squareup.okhttp/okhttp@2.5.0 | HIGH | 3 | Highest | 22
okio-1.6.0.jar | cpe:2.3:a:squareup:okio:1.6.0:*:*:*:*:*:*:* | pkg:maven/com.squareup.okio/okio@1.6.0 | HIGH | 1 | Highest | 16
poi-3.10-FINAL.jar | cpe:2.3:a:apache:poi:3.10:*:*:*:*:*:*:* | pkg:maven/org.apache.poi/poi@3.10-FINAL | HIGH | 8 | Highest | 28
poi-ooxml-3.9.jar | cpe:2.3:a:apache:poi:3.9:*:*:*:*:*:*:* | pkg:maven/org.apache.poi/poi-ooxml@3.9 | HIGH | 8 | Highest | 27
postgresql-42.3.1.jar | cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.3.1:*:*:*:*:*:*:* | pkg:maven/org.postgresql/postgresql@42.3.1 | CRITICAL | 4 | Low | 71
protobuf-java-2.6.0.jar | cpe:2.3:a:google:protobuf-java:2.6.0:*:*:*:*:*:*:*; cpe:2.3:a:protobuf:protobuf:2.6.0:*:*:*:*:*:*:* | pkg:maven/com.google.protobuf/protobuf-java@2.6.0 | HIGH | 3 | Highest | 28
snakeyaml-1.21.jar | cpe:2.3:a:snakeyaml_project:snakeyaml:1.21:*:*:*:*:*:*:* | pkg:maven/org.yaml/snakeyaml@1.21 | CRITICAL | 8 | Highest | 44
spring-boot-1.5.1.RELEASE.jar | cpe:2.3:a:vmware:spring_boot:1.5.1:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot@1.5.1.RELEASE | CRITICAL | 5 | Highest | 33
spring-boot-starter-security-2.1.5.RELEASE.jar | cpe:2.3:a:vmware:spring_boot:2.1.5:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot-starter-security@2.1.5.RELEASE | CRITICAL | 3 | Highest | 35
spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar | cpe:2.3:a:thymeleaf:thymeleaf:1.5.1:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_boot:1.5.1:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE | CRITICAL | 6 | Highest | 29
spring-boot-starter-web-1.5.1.RELEASE.jar | cpe:2.3:a:vmware:spring_boot:1.5.1:release:*:*:*:*:*:*; cpe:2.3:a:web_project:web:1.5.1:release:*:*:*:*:*:* | pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE | CRITICAL | 6 | Highest | 29
spring-cloud-netflix-core-1.2.0.RELEASE.jar | cpe:2.3:a:vmware:spring_cloud_netflix:1.2.0:release:*:*:*:*:*:* | pkg:maven/org.springframework.cloud/spring-cloud-netflix-core@1.2.0.RELEASE | MEDIUM | 2 | Highest | 25
spring-cloud-netflix-eureka-client-1.2.0.RELEASE.jar | cpe:2.3:a:vmware:spring_cloud_netflix:1.2.0:release:*:*:*:*:*:* | pkg:maven/org.springframework.cloud/spring-cloud-netflix-eureka-client@1.2.0.RELEASE | MEDIUM | 1 | Highest | 27
spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar | cpe:2.3:a:vmware:spring_cloud_netflix:1.4.0:release:*:*:*:*:*:* | pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-ribbon@1.4.0.RELEASE | MEDIUM | 1 | Highest | 27
spring-core-4.3.6.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_framework:4.3.6:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-core@4.3.6.RELEASE | CRITICAL | 15 | Highest | 34
spring-data-commons-1.13.11.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_data_commons:1.13.11:release:*:*:*:*:*:* | pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE | HIGH | 1 | Highest | 30
spring-expression-4.3.6.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_framework:4.3.6:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-expression@4.3.6.RELEASE | CRITICAL | 16 | Highest | 34
spring-security-config-4.2.12.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_security:4.2.12:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_security:4.2.12:release:*:*:*:*:*:* | pkg:maven/org.springframework.security/spring-security-config@4.2.12.RELEASE | CRITICAL | 6 | Highest | 43
spring-security-core-4.2.1.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_security:4.2.1:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_security:4.2.1:release:*:*:*:*:*:* | pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE | CRITICAL | 8 | Highest | 43
spring-security-web-4.2.12.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_security:4.2.12:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_security:4.2.12:release:*:*:*:*:*:*; cpe:2.3:a:web_project:web:4.2.12:release:*:*:*:*:*:* | pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE | CRITICAL | 6 | Highest | 43
spring-web-4.3.6.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:web_project:web:4.3.6:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-web@4.3.6.RELEASE | CRITICAL | 16 | Highest | 32
spring-webmvc-4.3.6.RELEASE.jar | cpe:2.3:a:pivotal_software:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:springsource:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:vmware:spring_framework:4.3.6:release:*:*:*:*:*:*; cpe:2.3:a:web_project:web:4.3.6:release:*:*:*:*:*:* | pkg:maven/org.springframework/spring-webmvc@4.3.6.RELEASE | CRITICAL | 17 | Highest | 34
thymeleaf-2.1.5.RELEASE.jar | cpe:2.3:a:thymeleaf:thymeleaf:2.1.5:release:*:*:*:*:*:* | pkg:maven/org.thymeleaf/thymeleaf@2.1.5.RELEASE | HIGH | 1 | Highest | 44
thymeleaf-layout-dialect-1.4.0.jar | cpe:2.3:a:thymeleaf:thymeleaf:1.4.0:*:*:*:*:*:*:* | pkg:maven/nz.net.ultraq.thymeleaf/thymeleaf-layout-dialect@1.4.0 | HIGH | 1 | Highest | 33
thymeleaf-spring4-2.1.5.RELEASE.jar | cpe:2.3:a:thymeleaf:thymeleaf:2.1.5:release:*:*:*:*:*:* | pkg:maven/org.thymeleaf/thymeleaf-spring4@2.1.5.RELEASE | HIGH | 2 | Highest | 44
tomcat-embed-core-8.5.85.jar | cpe:2.3:a:apache:tomcat:8.5.85:*:*:*:*:*:*:*; cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.85:*:*:*:*:*:*:* | pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85 | HIGH | 7 | Highest | 22
tomcat-embed-websocket-8.5.85.jar | cpe:2.3:a:apache:tomcat:8.5.85:*:*:*:*:*:*:*; cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.85:*:*:*:*:*:*:* | pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@8.5.85 | HIGH | 8 | Highest | 22
velocity-1.7.jar | cpe:2.3:a:apache:velocity_engine:1.7:*:*:*:*:*:*:* | pkg:maven/org.apache.velocity/velocity@1.7 | HIGH | 1 | Low | 76
woodstox-core-asl-4.4.1.jar | cpe:2.3:a:fasterxml:woodstox:4.4.1:*:*:*:*:*:*:* | pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.4.1 | HIGH | 1 | Low | 37
xerces2-xsd11-2.11.1.jar | cpe:2.3:a:apache:xerces2_java:2.11.1:*:*:*:*:*:*:* | pkg:maven/com.rackspace.apache/xerces2-xsd11@2.11.1 | HIGH | 1 | Low | 73
xlsx-streamer-2.0.0.jar | cpe:2.3:a:excel_streaming_reader_project:excel_streaming_reader:2.0.0:*:*:*:*:*:*:* | pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0 | CRITICAL | 1 | Low | 28
xmlbeans-2.3.0.jar | cpe:2.3:a:apache:xmlbeans:2.3.0:*:*:*:*:*:*:* | pkg:maven/org.apache.xmlbeans/xmlbeans@2.3.0 | CRITICAL | 1 | Highest | 81
xmlprojector-1.4.13.jar | cpe:2.3:a:xmlbeam:xmlbeam:1.4.13:*:*:*:*:*:*:* | pkg:maven/org.xmlbeam/xmlprojector@1.4.13 | HIGH | 1 | Highest | 21
xstream-1.4.10.jar | cpe:2.3:a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:* | pkg:maven/com.thoughtworks.xstream/xstream@1.4.10 | CRITICAL | 35 | Highest | 57

Dependencies

bcpkix-jdk15on-1.55.jar

Description:

The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/khannasa/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.55/bcpkix-jdk15on-1.55.jar
MD5: 9e17685b340a4e22fec6733cf65ed5ac
SHA1: 6392d8cba22b722c6570d660ca0b3921ff1bae4f
SHA256: d7cc06e92f0d117989cc7035f697c69c7c355838b2de3dc35491441afea09ca9
Referenced In Project/Scope: java-sec-code:compile
bcpkix-jdk15on-1.55.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Published Vulnerabilities

CVE-2020-26939

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
CWE-203 Information Exposure Through Discrepancy

bcprov-jdk15on-1.55.jar

Description:

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/khannasa/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
MD5: cbf56e979aba0e551a57953080e115f0
SHA1: 935f2e57a00ec2c489cbd2ad830d4a399708f979
SHA256: c08450a176b55c7ef4847111550eb247e5912ad450c8c225fa2f7cab74ce608b
Referenced In Project/Scope: java-sec-code:compile
bcprov-jdk15on-1.55.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Published Vulnerabilities

CVE-2016-1000338

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature

CVE-2016-1000340

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???), which has since been fixed. These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
CWE-19 Data Processing Errors

CVE-2016-1000342

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature

CVE-2016-1000343

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
CWE-310 Cryptographic Issues

CVE-2018-1000180

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm

CVE-2016-1000344

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
CWE-310 Cryptographic Issues

CVE-2016-1000352

In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
CWE-310 Cryptographic Issues

CVE-2016-1000341

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
CWE-361 7PK - Time and State

CVE-2016-1000345

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
CWE-361 7PK - Time and State

CVE-2017-13098

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
CWE-203 Information Exposure Through Discrepancy

CVE-2020-15522

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE-2020-0187 (OSSINDEX)

In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148517383
CWE-310 Cryptographic Issues

CVE-2016-1000339

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
CWE-310 Cryptographic Issues

CVE-2020-26939

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
CWE-203 Information Exposure Through Discrepancy

CVE-2023-33201 (OSSINDEX)

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CWE-295 Improper Certificate Validation

CVE-2016-1000346

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
CWE-320 Key Management Errors

commons-collections-3.1.jar

Description:

Types that extend and augment the Java Collections Framework.

File Path: /home/khannasa/.m2/repository/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
MD5: d1dcb0fbee884bb855bb327b8190af36
SHA1: 40fb048097caeacdb11dbb33b5755854d89efdeb
SHA256: c1547d185ba6880bcc2da261c5f7533512b6ffdbbc1898db5b793c0cb830fcf0
Referenced In Project/Scope: java-sec-code:compile
commons-collections-3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2015-6420

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CWE-502 Deserialization of Untrusted Data

commons-httpclient-3.1.jar

Description:

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256: dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope: java-sec-code:compile
commons-httpclient-3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2012-5783

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CWE-295 Improper Certificate Validation

CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

commons-io-2.5.jar

Description:

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256: a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope: java-sec-code:compile
commons-io-2.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2021-29425

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

commons-jxpath-1.3.jar

Description:

A Java-based implementation of XPath 1.0 that, in addition to XML processing, can inspect/modify Java object graphs (the library's explicit purpose) and even mixed Java/XML structures.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/commons-jxpath/commons-jxpath/1.3/commons-jxpath-1.3.jar
MD5: 61a9aa8ff43ba10853571d57f724bf88
SHA1: c22d7d0f0f40eb7059a23cfa61773a416768b137
SHA256: fcbc0ad917d9d6a73c6df21fac322e00d213ef19cd94815a007c407a8a3ff449
Referenced In Project/Scope: java-sec-code:runtime
commons-jxpath-1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Published Vulnerabilities

CVE-2022-41852 (OSSINDEX)

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41852 for details
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVE-2022-40159

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.
CWE-787 Out-of-bounds Write

CVE-2022-40160

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.
CWE-787 Out-of-bounds Write

commons-net-3.6.jar

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/commons-net/commons-net/3.6/commons-net-3.6.jar
MD5: b46661b01cc7aeec501f1cd3775509f1
SHA1: b71de00508dcb078d2b24b5fa7e538636de9b3da
SHA256: d3b3866c61a47ba3bf040ab98e60c3010d027da0e7a99e1755e407dd47bc2702
Referenced In Project/Scope: java-sec-code:compile
commons-net-3.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2021-37533

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CWE-20 Improper Input Validation

dom4j-1.6.1.jar

Description:

dom4j: the flexible XML framework for Java

File Path: /home/khannasa/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
SHA256: 593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73
Referenced In Project/Scope: java-sec-code:compile
dom4j-1.6.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.poi/poi-ooxml@3.9

Published Vulnerabilities

CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVE-2018-1000632 (OSSINDEX)

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
CWE-91 XML Injection (aka Blind XPath Injection)

CVE-2023-45960

An issue in dom4j org.dom4j.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function. NOTE: the vendor and original reporter indicate that this is not a vulnerability because setFeature only sets features, which "can be safe in one case and unsafe in another."
CWE-91 XML Injection (aka Blind XPath Injection)

dom4j-2.1.0.jar

Description:

flexible XML framework for Java

License:

BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /home/khannasa/.m2/repository/org/dom4j/dom4j/2.1.0/dom4j-2.1.0.jar
MD5: dcd0b683599cb29fd0a684d54c38e71d
SHA1: 6ad46940de4d721df3d6bbcd2977149742095445
SHA256: 95b11e251e4f0fdcc5d1b3b984d30452260f65d1b382c7aea1448d2b83e8c222
Referenced In Project/Scope: java-sec-code:compile
dom4j-2.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVE-2018-1000632

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
CWE-91 XML Injection (aka Blind XPath Injection)

CVE-2023-45960

An issue in dom4j org.dom4j.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function. NOTE: the vendor and original reporter indicate that this is not a vulnerability because setFeature only sets features, which "can be safe in one case and unsafe in another."
CWE-91 XML Injection (aka Blind XPath Injection)

fastjson-1.2.24.jar

Description:

Fastjson is a JSON processor (JSON parser + JSON generator) written in Java

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/alibaba/fastjson/1.2.24/fastjson-1.2.24.jar
MD5: 036e7cdd77ba14322ff3a38fc4e1cfbe
SHA1: a2b82688715ee16d874d90229d204daf3efcac8e
SHA256: 1b4ebbb73676b7048966f5165a9310fb81c761eeab9eb2e2d361b70ff9450c66
Referenced In Project/Scope: java-sec-code:compile
fastjson-1.2.24.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2017-18349

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
CWE-20 Improper Input Validation

CVE-2022-25845

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
CWE-502 Deserialization of Untrusted Data

fluent-hc-4.3.6.jar

Description:

HttpComponents Client fluent API

File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/fluent-hc/4.3.6/fluent-hc-4.3.6.jar
MD5: 10ddea0d53cc157876ecd6653b3b31f0
SHA1: 57cc6e104beef81737fcbfaf22c3c755e22171d2
SHA256: 0d042c4e4a348352fe02f1dff108fd20692f5351f000f8e374abeb3b63054fc8
Referenced In Project/Scope: java-sec-code:compile
fluent-hc-4.3.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

groovy-2.4.7.jar

Description:

Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar
MD5: 527fe0ab66e77d28a9134c213dd7e8a1
SHA1: 10870e6511f544ce45152d0ad08d7514a00c8201
SHA256: 3a979e626477cef5dda735fa8f005a20e080104821e63a760be6db2f022b1523
Referenced In Project/Scope: java-sec-code:compile
groovy-2.4.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE

Published Vulnerabilities

CVE-2016-6814

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
CWE-502 Deserialization of Untrusted Data

CVE-2020-17521

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
NVD-CWE-Other

gson-2.8.0.jar

File Path: /home/khannasa/.m2/repository/com/google/code/gson/gson/2.8.0/gson-2.8.0.jar
MD5: a42f1f5bfa4e6f123ddcab3de7e0ff81
SHA1: c4ba5371a29ac9b2ad6129b1d39ea38750043eff
SHA256: c6221763bd79c4f1c3dc7f750b5f29a0bb38b367b81314c4f71896e340c40825
Referenced In Project/Scope: java-sec-code:runtime
gson-2.8.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Published Vulnerabilities

CVE-2022-25647

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE-502 Deserialization of Untrusted Data

guava-23.0.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/google/guava/guava/23.0/guava-23.0.jar
MD5: 7d7838b57e04ae0164714c56ac9e20d9
SHA1: c947004bb13d18182be60077ade044099e4f26f1
SHA256: 7baa80df284117e5b945b19b98d367a85ea7b7801bd358ff657946c3bd1b6596
Referenced In Project/Scope: java-sec-code:compile
guava-23.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2023-2976

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

CWE-552 Files or Directories Accessible to External Parties

CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling

CVE-2020-8908

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-732 Incorrect Permission Assignment for Critical Resource

hibernate-validator-5.3.4.Final.jar

Description:

Hibernate's Bean Validation (JSR-303) reference implementation.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/hibernate/hibernate-validator/5.3.4.Final/hibernate-validator-5.3.4.Final.jar
MD5: 540c4f2374a74674f00e2f2691bb2cce
SHA1: 2f6c8c0b646afe18e3ad205726729d3c4a85fe2e
SHA256: b87d88d4faee39fb7aad20715d79b49c07c2b915df05faccb002bfcf0cb1f0e5
Referenced In Project/Scope: java-sec-code:compile
hibernate-validator-5.3.4.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Published Vulnerabilities

CVE-2020-25638

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2017-7536

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVE-2019-14900

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-10219

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-10693

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
CWE-20 Improper Input Validation

httpclient-4.5.12.jar

Description:

Apache HttpComponents Client

File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/httpclient/4.5.12/httpclient-4.5.12.jar
MD5: 72002652711fe0fa3218d2bf20f47409
SHA1: 4023a2a80b64c25926911faf350b50cd2a29220f
SHA256: bc5f065aba5dd815ee559dd24d9bcb797fb102ff9cfa036f5091ebc529bd3b93
Referenced In Project/Scope: java-sec-code:compile
httpclient-4.5.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2020-13956

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo

hutool-all-5.8.10.jar

Description:

Hutool is a small but comprehensive Java utility library. By wrapping functionality in static methods it lowers the learning cost of the related APIs, improves productivity, gives Java the elegance of a functional language, and lets Java be "sweet" too.

File Path: /home/khannasa/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
MD5: 469eb4cd8ae894d92e8c538152a3de9d
SHA1: 0d6ff30dc7c2389edc8c7e429a1174a7f574eb4f
SHA256: 1960ee1120a2c28a125c32c7c2300a1e5223ac2fc5cbbae1040beccf49d881d2
Referenced In Project/Scope: java-sec-code:compile
hutool-all-5.8.10.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Published Vulnerabilities

CVE-2022-4565

A vulnerability classified as problematic was found in Dromara HuTool up to 5.8.10. This vulnerability affects unknown code of the file cn.hutool.core.util.ZipUtil.java. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.8.11 is able to address this issue. It is recommended to upgrade the affected component. VDB-215974 is the identifier assigned to this vulnerability.
CWE-404 Improper Resource Shutdown or Release

CVE-2022-45688

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVE-2022-45689

hutool-json v5.8.10 was discovered to contain an out of memory error.
CWE-787 Out-of-bounds Write

CVE-2022-45690

A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVE-2023-33695

Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.
CWE-732 Incorrect Permission Assignment for Critical Resource

jackson-annotations-2.8.0.jar

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.8.0/jackson-annotations-2.8.0.jar
MD5: 288e6537849f0c63e76409b515c4fbe4
SHA1: 45b426f7796b741035581a176744d91090e2e6fb
SHA256: e61b7343aceeb6ecda291d4ef133cd3e765f178c631c357ffd081abab7f15db8
Referenced In Project/Scope: java-sec-code:compile
jackson-annotations-2.8.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Published Vulnerabilities

CVE-2018-1000873

Fasterxml Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can cause a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

jackson-core-2.8.6.jar

Description:

Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.6/jackson-core-2.8.6.jar
MD5: fc62c06dbb91d1c9130c405edaa35a88
SHA1: 2ef7b1cc34de149600f5e75bc2d5bf40de894e60
SHA256: 10a8d607dc66aadee9ef24e8b3d83f04b6c0e033926558cc64e408bcbda0ca9f
Referenced In Project/Scope: java-sec-code:compile
jackson-core-2.8.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Published Vulnerabilities

CVE-2022-45688

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVE-2023-5072

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVE-2018-1000873

Fasterxml Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can cause a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

jackson-databind-2.8.6.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar
MD5: b9bcc79b8b3883f627045b2da535e580
SHA1: c43de61f74ecc61322ef8f402837ba65b0aa2bf4
SHA256: 922413ca2ff5a8f1f86a2eaae8ff02219322ec6ff00d212e7973df8aac4bbaa3
Referenced In Project/Scope: java-sec-code:compile
jackson-databind-2.8.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Published Vulnerabilities

CVE-2018-14721

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CWE-918 Server-Side Request Forgery (SSRF)

CVE-2017-15095

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CWE-502 Deserialization of Untrusted Data

CVE-2017-17485

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data

CVE-2017-7525

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CWE-184 Incomplete Blacklist

CVE-2018-11307

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CWE-502 Deserialization of Untrusted Data

CVE-2018-14718

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVE-2018-14719

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVE-2018-14720

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE'), CWE-502 Deserialization of Untrusted Data

CVE-2018-19360

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVE-2018-19361

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVE-2018-19362

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CWE-502 Deserialization of Untrusted Data

CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CWE-1321

CVE-2019-14540

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CWE-502 Deserialization of Untrusted Data

CVE-2019-14892

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CWE-502 Deserialization of Untrusted Data

CVE-2019-14893

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CWE-502 Deserialization of Untrusted Data

CVE-2019-16335

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CWE-502 Deserialization of Untrusted Data

CVE-2019-16942

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CWE-502 Deserialization of Untrusted Data

CVE-2019-16943

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CWE-502 Deserialization of Untrusted Data

CVE-2019-17267

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CWE-502 Deserialization of Untrusted Data

CVE-2019-17531

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CWE-502 Deserialization of Untrusted Data

CVE-2019-20330

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CWE-502 Deserialization of Untrusted Data

CVE-2020-8840

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CWE-502 Deserialization of Untrusted Data

CVE-2020-9546

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CWE-502 Deserialization of Untrusted Data

CVE-2020-9547

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CWE-502 Deserialization of Untrusted Data

CVE-2020-9548

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CWE-502 Deserialization of Untrusted Data

CVE-2020-10969

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CWE-502 Deserialization of Untrusted Data

CVE-2018-5968

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist

CVE-2020-10650

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-12022

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-12023

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-12086

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-14439

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-25649 (OSSINDEX)

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CWE-787 Out-of-bounds Write

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-42003

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
CWE-502 Deserialization of Untrusted Data

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1000873

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable via the victim deserializing malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-12384

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-12814

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-35116

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
References:

Vulnerable Software & Versions:

jdom2-2.0.6.jar

Description:

A complete, Java-based solution for accessing, manipulating, and outputting XML data

License:

Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/khannasa/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
MD5: 86a30c9b1ddc08ca155747890db423b7
SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64
SHA256: 1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5
Referenced In Project/Scope: java-sec-code:compile
jdom2-2.0.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

jettison-1.3.7.jar

Description:

A StAX implementation for JSON.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/org/codehaus/jettison/jettison/1.3.7/jettison-1.3.7.jar
MD5: c1ce879e927ca435da0fd2fd6c8a6b60
SHA1: 7d36a59a0577f11b12088b9e215d6860345b9e1d
SHA256: b39e77d92f5a682c639c8962980499e6be34b5c9fda7ad4dba3b5fd9e99b5070
Referenced In Project/Scope: java-sec-code:runtime
jettison-1.3.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Identifiers

Published Vulnerabilities

CVE-2022-40149

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-40150

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
CWE-674 Uncontrolled Recursion

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-45685

A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-45693

Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-1436

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
CWE-674 Uncontrolled Recursion

CVSSv3:
References:

Vulnerable Software & Versions:

jolokia-core-1.6.0.jar

Description:

jar file containing servlet and helper classes

File Path: /home/khannasa/.m2/repository/org/jolokia/jolokia-core/1.6.0/jolokia-core-1.6.0.jar
MD5: 5f7ce4a39dc7622dbe97b4e285033ff7
SHA1: c0d928201b20202826dd02762fea8ae1dc1634b1
SHA256: a66c9d507a0997f4f9d31d5af5e640bc31099aa8278ac78e94e784797e1db94d
Referenced In Project/Scope: java-sec-code:compile
jolokia-core-1.6.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2018-10899

A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

json-path-2.2.0.jar

Description:

Java port of Stefan Goessner JsonPath.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/jayway/jsonpath/json-path/2.2.0/json-path-2.2.0.jar
MD5: 98ec1b51b19c21a32845ba3498df6629
SHA1: 22290d17944bd239fabf5ac69005a60a7ecbbbcb
SHA256: f74833d885773a0a3a937ebdb632ca2ff6d95b52cf7f5725de6dd688844207cd
Referenced In Project/Scope: java-sec-code:compile
json-path-2.2.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2022-45688

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-5072

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv3:
References:

Vulnerable Software & Versions:

json-smart-2.2.1.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/net/minidev/json-smart/2.2.1/json-smart-2.2.1.jar
MD5: 4c82c537eb0ba92adad494283711cc11
SHA1: 5b9e5df7a62d1279b70dc882b041d249c4f0b002
SHA256: 871ff1fca0709fbf924a86704f1c7070e1ee774881c76feb1ba781351efe4693
Referenced In Project/Scope: java-sec-code:compile
json-smart-2.2.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.jayway.jsonpath/json-path@2.2.0

Identifiers

Published Vulnerabilities

CVE-2021-31684 (OSSINDEX)

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
CWE-787 Out-of-bounds Write

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2023-1370 (OSSINDEX)

[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.

When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

CWE-674 Uncontrolled Recursion

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2021-27568

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
CWE-754 Improper Check for Unusual or Exceptional Conditions

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

jsoup-1.10.2.jar

Description:

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

License:

The MIT License: https://jsoup.org/license
File Path: /home/khannasa/.m2/repository/org/jsoup/jsoup/1.10.2/jsoup-1.10.2.jar
MD5: 36145fee38e79b81035787f1be296a52
SHA1: 33ee82e324f4b1e40167f3dc5e01234a1c5cab61
SHA256: 6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a
Referenced In Project/Scope: java-sec-code:compile
jsoup-1.10.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2021-37714

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CWE-248 Uncaught Exception, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-36033

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv3:
References:

Vulnerable Software & Versions:

junit-4.12.jar

Description:

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/khannasa/.m2/repository/junit/junit/4.12/junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec
SHA256: 59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a
Referenced In Project/Scope: java-sec-code:compile
junit-4.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2020-15250

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

log4j-api-2.9.1.jar

Description:

The Apache Log4j API

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar
MD5: 20f0b4e1a16bd2030f0acc2b277cb16f
SHA1: 7a2999229464e7a324aa503c0a52ec0f05efe7bd
SHA256: cad088ba9c43e1a13bba0a3d44bec1ef42bd22fdf12dad2bd73a22666bfbd009
Referenced In Project/Scope: java-sec-code:compile
log4j-api-2.9.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2020-9488

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
CWE-295 Improper Certificate Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

log4j-core-2.9.1.jar

Description:

The Apache Log4j Implementation

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/logging/log4j/log4j-core/2.9.1/log4j-core-2.9.1.jar
MD5: 942f429eacb8015e18d8f59996cfbee6
SHA1: c041978c686866ee8534f538c6220238db3bb6be
SHA256: dc435b35b5923eb05afe30a24f04e9a0a5372da8e76f986efe8508b96101c4ff
Referenced In Project/Scope: java-sec-code:compile
log4j-core-2.9.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CWE-20 Improper Input Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CWE-20 Improper Input Validation, CWE-674 Uncontrolled Recursion

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-9488

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
CWE-295 Improper Certificate Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

logback-core-1.1.9.jar

Description:

logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /home/khannasa/.m2/repository/ch/qos/logback/logback-core/1.1.9/logback-core-1.1.9.jar
MD5: 01b122c501f7cd81d9bbefa22d28bc53
SHA1: e05d0cb67220937c32d7b4e5a47f967605376f63
SHA256: 19346df199c443f56b4880d386016295d628293643152f5f4ac6287a341ada74
Referenced In Project/Scope: java-sec-code:compile
logback-core-1.1.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2017-5929

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-42550

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

mybatis-3.4.6.jar

Description:

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar
MD5: be0cd2a55a854f3abf2a2461371b9c66
SHA1: a77a546f679533837f6c6a75c034b669f3ce6a2f
SHA256: c3a395969ff96b8f4ba074e8e6e49ef0aad06a11b919764e6bc14dbe3b967ded
Referenced In Project/Scope: java-sec-code:compile
mybatis-3.4.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.3.2

Identifiers

Published Vulnerabilities

CVE-2023-25330

A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-26945

MyBatis before 3.5.6 mishandles deserialization of object streams.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

mysql-connector-java-8.0.12.jar

Description:

JDBC Type 4 driver for MySQL

License:

The GNU General Public License, v2 with FOSS exception
File Path: /home/khannasa/.m2/repository/mysql/mysql-connector-java/8.0.12/mysql-connector-java-8.0.12.jar
MD5: 88766727e5e434ceb94315b0dae0e4b4
SHA1: 08e201602cc1ddd145c4c74e67d4002d3d4b1796
SHA256: 5b09edb8700512a526eb109c308e9e752d9eb3d915f6b1d33bdbdb9707ed8799
Referenced In Project/Scope: java-sec-code:compile
mysql-connector-java-8.0.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2018-3258 (OSSINDEX)

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
CWE-284 Improper Access Control

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2023-22102

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-21363 (OSSINDEX)

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
CWE-310 Cryptographic Issues

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2019-2692

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
NVD-CWE-noinfo

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-2471 (OSSINDEX)

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2020-2934

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
NVD-CWE-noinfo

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-2875

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
NVD-CWE-noinfo

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

netty-codec-4.0.27.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/io/netty/netty-codec/4.0.27.Final/netty-codec-4.0.27.Final.jar
MD5: 95596580c1b6e10be356a52ddd022098
SHA1: 08ed3790b480d4370d22ad1b74a79a54663619b3
SHA256: 452715cd6024b6a1357d608b41ed24d5a40182e52bb2cebf8c6e8696ddf60198
Referenced In Project/Scope: java-sec-code:runtime
netty-codec-4.0.27.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Identifiers

Published Vulnerabilities

CVE-2019-20444

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-20445

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2015-2156

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CWE-20 Improper Input Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2016-4970

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-16869

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-11612 (OSSINDEX)

netty-codec - Denial of Service (DoS) via Memory Exhaustion [CVE-2020-11612]

The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-11612 for details
CWE-789 Uncontrolled Memory Allocation

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2021-37136

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-37137

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-41881

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-43797

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21295

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21290

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

netty-handler-4.0.27.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/io/netty/netty-handler/4.0.27.Final/netty-handler-4.0.27.Final.jar
MD5: 5fa80364ee1172ef764f1f7bd82f60b7
SHA1: 91d5c8e25150759bdfce680f318e7b3e8a493b1f
SHA256: 1ac31cdd3a8f2a8eb6f83c17ce8057a18d15505cd6fdc1bd19fcd30a2afa83a6
Referenced In Project/Scope: java-sec-code:runtime
netty-handler-4.0.27.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Identifiers

Published Vulnerabilities

CVE-2019-20444

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-20445

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2015-2156

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CWE-20 Improper Input Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2016-4970

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-16869

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-37136

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-37137

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-41881

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-43797

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-4586 (OSSINDEX)

netty-handler - Improper Certificate Validation

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CWE-300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2021-21295

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21290

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

netty-transport-4.0.27.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/io/netty/netty-transport/4.0.27.Final/netty-transport-4.0.27.Final.jar
MD5: 79b946151ae96948889565acddafe9c7
SHA1: fc1e00d9d2815f74df6af1cf79da65d6b2d6b102
SHA256: afc0e7fa6d998629076e655291612da1882f7226b9d5aa84961c98eb63484d14
Referenced In Project/Scope: java-sec-code:runtime
netty-transport-4.0.27.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2019-20444

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-20445

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2015-2156

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
CWE-20 Improper Input Validation

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2016-4970

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-16869

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-37136

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-37137

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-41881

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CWE-674 Uncontrolled Recursion

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-43797

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but no checks are done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21295

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21290

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

ognl-3.0.8.jar

Description:

OGNL - Object Graph Navigation Library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/ognl/ognl/3.0.8/ognl-3.0.8.jar
MD5: 6f2969f0eb541a6f4ecfa15faa8155d7
SHA1: 37e1aebfde7eb7baebc9ad4f85116ef9009c5fc5
SHA256: 97c13090ba9f1b2c34a9548461423e734252dafe0774af55c53d248c736e488c
Referenced In Project/Scope: java-sec-code:compile
ognl-3.0.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2016-3093

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

okhttp-2.5.0.jar

File Path: /home/khannasa/.m2/repository/com/squareup/okhttp/okhttp/2.5.0/okhttp-2.5.0.jar
MD5: eb8bf45f81bf9f17d1fcfb2eca63aaa6
SHA1: 4de2b4ed3445c37ec1720a7d214712e845a24636
SHA256: 1cc716e29539adcda677949508162796daffedb4794cbf947a6f65e696f0381c
Referenced In Project/Scope: java-sec-code:compile
okhttp-2.5.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2021-0341 (OSSINDEX)

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10, Android-11. Android ID: A-171980069
CWE-295 Improper Certificate Validation

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2016-2402

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
CWE-295 Improper Certificate Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-0833

A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
CWE-209 Information Exposure Through an Error Message

CVSSv3:
References:

Vulnerable Software & Versions:

okio-1.6.0.jar

File Path: /home/khannasa/.m2/repository/com/squareup/okio/okio/1.6.0/okio-1.6.0.jar
MD5: 164d1c28c323cf6e2a917d60374c5718
SHA1: 98476622f10715998eacf9240d6b479f12c66143
SHA256: 114bdc1f47338a68bcbc95abf2f5cdc72beeec91812f2fcd7b521c1937876266
Referenced In Project/Scope: java-sec-code:compile
okio-1.6.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.squareup.okhttp/okhttp@2.5.0

Identifiers

Published Vulnerabilities

CVE-2023-3635

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

CWE-681 Incorrect Conversion between Numeric Types

CVSSv3:
References:

Vulnerable Software & Versions:

poi-3.10-FINAL.jar

Description:

Apache POI - Java API To Access Microsoft Format Files

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
MD5: 8a8f8d9d6ce0cba8ee9fe1403643cd2e
SHA1: e22fd3bb6a7152bd7d07c7e8901c2451b601725f
SHA256: 113d2cbe641bd82b1a990fdf946f416753241a017f89777d92f7136f87e806a5
Referenced In Project/Scope: java-sec-code:compile
poi-3.10-FINAL.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2017-12626

Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2016-5000

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2017-5644

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-12415

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-26336

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2014-9527

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
CWE-399 Resource Management Errors

CVSSv2:
References:

Vulnerable Software & Versions:

CVE-2014-3529

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
NVD-CWE-Other

CVSSv2:
References:

Vulnerable Software & Versions:

CVE-2014-3574

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
NVD-CWE-Other

CVSSv2:
References:

Vulnerable Software & Versions:

poi-ooxml-3.9.jar

Description:

Apache POI - Java API To Access Microsoft Format Files

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
MD5: a03b94af357fdc8b0619986188f292bd
SHA1: bbe83c739d22eecfacd06d7e0b99ba13277040ed
SHA256: 70afcf888aee418c52ef3056de9a035eb4163312944370030025bd0be976bd83
Referenced In Project/Scope: java-sec-code:compile
poi-ooxml-3.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2017-12626

Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2016-5000

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2017-5644

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-12415

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-26336

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2014-9527

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
CWE-399 Resource Management Errors

CVSSv2:
References:

Vulnerable Software & Versions:

CVE-2014-3529

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
NVD-CWE-Other

CVSSv2:
References:

Vulnerable Software & Versions:

CVE-2014-3574

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
NVD-CWE-Other

CVSSv2:
References:

Vulnerable Software & Versions:

postgresql-42.3.1.jar

Description:

PostgreSQL JDBC Driver Postgresql

License:

BSD-2-Clause: https://jdbc.postgresql.org/about/license.html
File Path: /home/khannasa/.m2/repository/org/postgresql/postgresql/42.3.1/postgresql-42.3.1.jar
MD5: 30299cd5ee3f86eb748b6cc1157df484
SHA1: 9ca7df660e875b91c78e3d1608d4d7469ad3470c
SHA256: 8370570857da86eb4a76dd3d8505d34bac0c18186741fa83a6820a10fa441cb4
Referenced In Project/Scope: java-sec-code:compile
postgresql-42.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2022-21724

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the postgresql library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify whether the class implements the expected interface before instantiating it. This can lead to code execution via arbitrary loaded classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
CWE-665 Improper Initialization

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-26520

In pgjdbc before 42.3.3, an attacker (who controls the JDBC URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-31197

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method does not perform escaping of column names, so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table whose column names contain the malicious SQL and subsequently invoking the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-41946

pgjdbc is an open source PostgreSQL JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This temporary file is readable by other users on Unix-like systems, but not MacOS. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv3:
References:

Vulnerable Software & Versions:

protobuf-java-2.6.0.jar

Description:

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/khannasa/.m2/repository/com/google/protobuf/protobuf-java/2.6.0/protobuf-java-2.6.0.jar
MD5: afeba6a0d697cdfd8db8636bd75fc0ee
SHA1: 88ba32feefe385d5dc284b71f649201eabd15778
SHA256: 5636b013420f19c0a5342dab6de33956e20a40b06681d2cf021266d6ef478c6e
Referenced In Project/Scope: java-sec-code:compile
protobuf-java-2.6.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/mysql/mysql-connector-java@8.0.12

Identifiers

Published Vulnerabilities

CVE-2022-3171

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-3509 (OSSINDEX)

A parsing issue similar to CVE-2022-3171, but with textformat, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CWE-20 Improper Input Validation

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

snakeyaml-1.21.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/yaml/snakeyaml/1.21/snakeyaml-1.21.jar
MD5: b16142890b39db3ff828085f56845b51
SHA1: 18775fdda48574784f40b47bf478ab0593f92e4d
SHA256: e43cb0683f70804b833dfaa5ac032ff14ba0c758d4a1e9eaeb6640515df83faf
Referenced In Project/Scope: java-sec-code:compile
snakeyaml-1.21.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2022-1471

SnakeYaml's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Deserialization of Untrusted Data

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2017-18640

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-25857

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-38749

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-38751

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-38752

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-41854

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-38750

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

spring-boot-1.5.1.RELEASE.jar

Description:

Spring Boot

File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot/1.5.1.RELEASE/spring-boot-1.5.1.RELEASE.jar
MD5: 32a0a1879b325320685d7093ab0dc4d5
SHA1: 670ebd283098aa2d8a397af84fbe6ea152a4d8fa
SHA256: 4a76f4196f22f246c1ace959a3f35e3cf8b8f1ad80aff9db0d9d404aa1e0e26e
Referenced In Project/Scope: java-sec-code:compile
spring-boot-1.5.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20873

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-27772

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1196

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-boot-starter-security-2.1.5.RELEASE.jar

Description:

Starter for using Spring Security

License:

Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot-starter-security/2.1.5.RELEASE/spring-boot-starter-security-2.1.5.RELEASE.jar
MD5: 52c7d8f07ef625b2e1ac8741329da07b
SHA1: 6c4509c39b8c7347e8226905b40071933ecde5e8
SHA256:e33e85beca1f624d3fa4d3ba986fdf4a623b105f5d091034947d101c1771657e
Referenced In Project/Scope: java-sec-code:compile
spring-boot-starter-security-2.1.5.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2023-20873

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-27772

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar

Description:

Starter for building MVC web applications using Thymeleaf views

File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot-starter-thymeleaf/1.5.1.RELEASE/spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar
MD5: dfcd870176f1eff2472ed1927b753e87
SHA1: 073ac6e73f4ec4083ba7adccf58e2319a1bbfffe
SHA256:13e2688435d8c1e88112f0eef1d5ddeefb5e5c7e62eadc42c6a647a53a621bbf
Referenced In Project/Scope: java-sec-code:compile
spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20873

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-27772

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1196

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-boot-starter-web-1.5.1.RELEASE.jar

Description:

Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container

File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot-starter-web/1.5.1.RELEASE/spring-boot-starter-web-1.5.1.RELEASE.jar
MD5: 1f1c52c46004d5539ad2824018b2044e
SHA1: 8404c45cb53a05edcd0ad8fc57a5fe43462263d8
SHA256:43b492f766a8caea07468f18d1c125b0d6015b793bd25ba16e2d5a56dc06421a
Referenced In Project/Scope: java-sec-code:compile
spring-boot-starter-web-1.5.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-4236

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable. Note: the behaviour described here (a nil pointer dereference, an AuthenticateMethod hook, a UserData pointer) belongs to a Go web library, not to Spring Boot; this entry is a CPE-matching false positive of the kind the notice at the top of the report warns about, and should be verified and then suppressed rather than triaged as a Spring issue.
CWE-476 NULL Pointer Dereference

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20873

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-27772

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
CWE-668 Exposure of Resource to Wrong Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:
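CVE-2022-27772 is listed against every Spring Boot artifact above (spring-boot, spring-boot-starter-security, spring-boot-starter-thymeleaf and spring-boot-starter-web). The weakness is a directory created under a shared temp root with a name another local user can guess and pre-create. The example below is added here and is not Spring Boot's code: it contrasts that hijackable pattern with an atomic, private creation plus a verification step, in a constructed scenario where a world-writable directory has already been planted. Paths, the "tomcat." prefix and the planted name are illustrative assumptions; the ownership and mode checks are POSIX-only.

```python
# Added example (not Spring Boot code): create a per-process temp directory in a
# way that an attacker who can pre-create entries in the shared temp root cannot
# hijack, and verify it before use. POSIX only (ownership and mode checks).
import os
import stat
import tempfile
from typing import Dict, Optional


def naive_temp_dir(base: str, name: str) -> str:
    """The hijackable pattern: a predictable name under a shared temp root,
    created with exist_ok, so a pre-planted directory is silently adopted."""
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)
    return path


def verify_private_dir(path: str) -> None:
    """Raise unless path is a real directory owned by us and closed to others."""
    st = os.lstat(path)                      # lstat: a symlink must not pass as a dir
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/other accessible (mode {oct(st.st_mode & 0o777)})")


def create_private_temp_dir(base: Optional[str] = None, prefix: str = "tomcat.") -> str:
    """Safe pattern: mkdtemp picks an unpredictable name, creates it atomically
    with mode 0700 and fails if the entry already exists, so nothing can be planted."""
    path = tempfile.mkdtemp(prefix=prefix, dir=base)
    verify_private_dir(path)
    return path


def demonstrate(base: Optional[str] = None) -> Dict[str, bool]:
    """Constructed scenario: a world-writable 'tomcat.8080' planted in the temp
    root by another local user (simulated here with chmod) is adopted by the
    naive pattern but caught by verification; the safe pattern never touches it."""
    base = base or tempfile.mkdtemp(prefix="demo-root.")
    planted = os.path.join(base, "tomcat.8080")
    os.mkdir(planted)
    os.chmod(planted, 0o777)

    adopted = naive_temp_dir(base, "tomcat.8080") == planted
    try:
        verify_private_dir(planted)
        caught = False
    except PermissionError:
        caught = True
    safe = create_private_temp_dir(base)
    return {
        "naive_adopts_planted_dir": adopted,
        "verification_catches_it": caught,
        "safe_dir_is_elsewhere": safe != planted and os.path.dirname(safe) == base,
    }


if __name__ == "__main__":
    for check, result in demonstrate().items():
        print(f"{check}: {result}")
```

Verification after creation matters even with mkdtemp: it is the step that would also catch a misconfigured temp root (for example one mounted with a permissive umask) rather than trusting that creation alone produced a private directory.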

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1196

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-cloud-netflix-core-1.2.0.RELEASE.jar

Description:

Spring Cloud Netflix Core

File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-netflix-core/1.2.0.RELEASE/spring-cloud-netflix-core-1.2.0.RELEASE.jar
MD5: 37000cfeb6af38da6b6dfc790cacaefe
SHA1: 726d74fd9b78fdcdef6f4170867c2ae43c428ebd
SHA256:da7aee290e624ec47afcbb9bfc693546a17a6bef9cde3adbf81af7fbc104b7e5
Referenced In Project/Scope: java-sec-code:compile
spring-cloud-netflix-core-1.2.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Identifiers

Published Vulnerabilities

CVE-2020-5412

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
CWE-610 Externally Controlled Reference to a Resource in Another Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-22113 (OSSINDEX)

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.
CWE-863 Incorrect Authorization

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

spring-cloud-netflix-eureka-client-1.2.0.RELEASE.jar

Description:

Spring Cloud Netflix Eureka Client

File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-netflix-eureka-client/1.2.0.RELEASE/spring-cloud-netflix-eureka-client-1.2.0.RELEASE.jar
MD5: 739a2fdf71e05250ca5febde591d16af
SHA1: bb56ce32fa34d124976bee60d39363dc74e50f07
SHA256:3f2d26ebf5b06a445edfae19325de650d9dec260cbd9646ce6c9c6d27bfd714e
Referenced In Project/Scope: java-sec-code:compile
spring-cloud-netflix-eureka-client-1.2.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Identifiers

Published Vulnerabilities

CVE-2020-5412

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
CWE-610 Externally Controlled Reference to a Resource in Another Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar

Description:

Spring Cloud Starter Netflix Ribbon

File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-starter-netflix-ribbon/1.4.0.RELEASE/spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar
MD5: e9ba870587d8664f1f76cbcbe3de8719
SHA1: cd8fb40e62f8480a5fad90e355a2cb7b3ed382b3
SHA256:67abbdc0b356ec8ef1a00ce8a3d1574dc1ace48349833068939a2273af6f3f8c
Referenced In Project/Scope: java-sec-code:compile
spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2020-5412

Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
CWE-610 Externally Controlled Reference to a Resource in Another Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-core-4.3.6.RELEASE.jar

Description:

Spring Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-core/4.3.6.RELEASE/spring-core-4.3.6.RELEASE.jar
MD5: bcce5a2acc9b2b8b67b94fdae6f63123
SHA1: 690da099c3c2d2536210f0fd06ff3f336de43ad9
SHA256:c451e8417adb2ffb2445636da5e44a2f59307c4100037a1fe387c3fba4f29b52
Referenced In Project/Scope: java-sec-code:compile
spring-core-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22950

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:
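CVE-2018-1199 above (listed again under spring-expression further down) and CVE-2020-5421's jsessionid path parameter share a mechanism: a security rule is matched against a path value that still carries a ;name=value parameter, while the handler is routed on the path with that parameter removed. The toy matcher below, added here as an example and not Spring Security's code, makes the gap concrete and shows the strict-firewall style remedy of rejecting such requests before any rule is consulted. The rule table, role names and URLs are constructed for illustration.

```python
# Added example (not Spring Security's code): a toy authorization matcher showing
# how a path parameter left in the matched path slips past a prefix rule, and the
# strict-firewall style fix of rejecting such requests outright.
# Rule table, role names and URLs are constructed for illustration.
from typing import Set
from urllib.parse import unquote

# First matching prefix wins; an empty role set means "anyone".
RULES = [("/admin/", {"ADMIN"}), ("/", set())]


class RejectedRequest(Exception):
    """Raised for requests the firewall refuses to pass to the matcher at all."""


def required_roles(matched_path: str) -> Set[str]:
    """Prefix matcher operating on whatever path value the container hands over."""
    for prefix, roles in RULES:
        if matched_path.startswith(prefix):
            return roles
    return set()


def dispatch_path(raw_path: str) -> str:
    """What the MVC layer routes on: each segment with its ';name=value' removed."""
    return "/".join(segment.split(";", 1)[0] for segment in raw_path.split("/"))


def strict_firewall(raw_path: str) -> str:
    """Reject anything whose meaning depends on parameter or encoding handling."""
    lowered = raw_path.lower()
    if ";" in raw_path or "%3b" in lowered:
        raise RejectedRequest("path parameter in URL")
    for token in ("%2f", "%5c", "%2e", "%25", "%00", "\\"):
        if token in lowered:
            raise RejectedRequest(f"encoded or backslash path token {token!r}")
    decoded = unquote(raw_path)
    if "//" in decoded or any(seg in (".", "..") for seg in decoded.split("/")):
        raise RejectedRequest("normalisation-sensitive path")
    return decoded


def authorize(raw_path: str, user_roles: Set[str], strict: bool = True) -> str:
    """Return 'allowed', 'denied' or 'rejected' for a request path and a role set."""
    try:
        path = strict_firewall(raw_path) if strict else raw_path
    except RejectedRequest:
        return "rejected"
    return "allowed" if required_roles(path) <= user_roles else "denied"


if __name__ == "__main__":
    anonymous: Set[str] = set()
    for url in ["/admin/users", "/admin;jsessionid=abc/users", "/admin%3Bx/users"]:
        print(f"{url:30s} routes to {dispatch_path(unquote(url)):14s} "
              f"lenient={authorize(url, anonymous, strict=False):8s} "
              f"strict={authorize(url, anonymous)}")
```

With strict=False the anonymous request for /admin;jsessionid=abc/users is allowed because no rule prefix matches the raw value, yet it dispatches to /admin/users. Rejecting the request outright, rather than trying to normalise it into the matcher's view, is the approach that avoids having to agree with every container's getPathInfo() behaviour.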

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22970

In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-data-commons-1.13.11.RELEASE.jar

File Path: /home/khannasa/.m2/repository/org/springframework/data/spring-data-commons/1.13.11.RELEASE/spring-data-commons-1.13.11.RELEASE.jar
MD5: 74a944a79234e4976e2ae3221a1dcbfb
SHA1: 481434bd66c1cf6ff72902a89ad778156e924382
SHA256:11a25c4f1efffc8df5a6e2146263e9f93317361e8d9f642e4873590c8d9fe165
Referenced In Project/Scope: java-sec-code:compile
spring-data-commons-1.13.11.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2018-1259

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-expression-4.3.6.RELEASE.jar

Description:

Spring Expression Language (SpEL)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-expression/4.3.6.RELEASE/spring-expression-4.3.6.RELEASE.jar
MD5: a64298e9039c376a20af757575d790a8
SHA1: 013b53568cfd7b308e70efcbac6cdd0c5d597ba1
SHA256:05d4b82232a83014cb55f92b7bdd3c334ada22695f059eb9d74b988d6e1bf5f0
Referenced In Project/Scope: java-sec-code:compile
spring-expression-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE

Identifiers

Published Vulnerabilities

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:
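CVE-2018-15756, listed here and under spring-core above, is a request-shaping problem: a Range header with a very large number of ranges, or with wide overlapping ranges, makes the server do far more work than the response is worth. The example below is added here and is not Spring's ResourceHttpRequestHandler code; it parses the header and applies the two checks the advisory implies before any bytes are read. The cap of five ranges per request is an assumed policy value and the sample headers are constructed.

```python
# Added example (not Spring's ResourceHttpRequestHandler code): parse an HTTP
# Range header and refuse the shapes the advisory describes (very many ranges, or
# wide overlapping ones) before any bytes are read. The cap of 5 ranges per
# request is an assumed policy value; sample headers are constructed.
from typing import List, Tuple

MAX_RANGES = 5
Ranges = List[Tuple[int, int]]          # inclusive (first, last) byte positions


def parse_byte_ranges(header: str, size: int) -> Ranges:
    """Parse 'bytes=...' into satisfiable inclusive ranges for a body of `size` bytes.

    Raises ValueError for a malformed header and LookupError when no range is
    satisfiable (HTTP 416).
    """
    unit, sep, spec_list = header.strip().partition("=")
    if unit.strip().lower() != "bytes" or not sep:
        raise ValueError("unsupported or malformed range unit")
    ranges: Ranges = []
    for spec in spec_list.split(","):
        first, dash, last = spec.strip().partition("-")
        if not dash or not (first or last):
            raise ValueError(f"malformed range spec {spec!r}")
        if not first:                                  # suffix form: -N
            suffix = int(last)
            if suffix == 0:
                raise ValueError("zero-length suffix range")
            start, end = max(0, size - suffix), size - 1
        else:
            start = int(first)
            end = size - 1 if not last else min(int(last), size - 1)
        if start >= size or start > end:
            continue                                   # unsatisfiable part, skip it
        ranges.append((start, end))
    if not ranges:
        raise LookupError("no satisfiable range")
    return ranges


def check_range_header(header: str, size: int, max_ranges: int = MAX_RANGES) -> Tuple[str, Ranges]:
    """Decide how to serve the request: ('ok', ranges), ('unsatisfiable', []) for a
    416, or ('reject', []) for a 400 when the header would cost more than it is worth."""
    try:
        ranges = parse_byte_ranges(header, size)
    except ValueError:
        return ("reject", [])
    except LookupError:
        return ("unsatisfiable", [])
    if len(ranges) > max_ranges:
        return ("reject", [])                         # many-ranges DoS shape
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            return ("reject", [])                     # overlapping-ranges DoS shape
    return ("ok", ordered)


if __name__ == "__main__":
    body_size = 1_000
    samples = [
        "bytes=0-99",
        "bytes=0-99,200-299,-100",
        "bytes=0-500,100-600",
        "bytes=" + ",".join(f"{i}-{i}" for i in range(1_000)),
        "bytes=2000-3000",
        "items=0-1",
    ]
    for h in samples:
        verdict, parts = check_range_header(h, body_size)
        print(f"{h[:40]:42s} -> {verdict} {parts}")
```

Rejecting rather than silently serving the whole body is a deliberate choice for a hardened endpoint: a client that sends a thousand one-byte ranges is not a browser resuming a download, and answering with a 400 keeps the cost of the decision proportional to the header length.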

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22950

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20863 (OSSINDEX)

In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27, and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22970

In Spring Framework versions prior to 5.3.20, 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-security-config-4.2.12.RELEASE.jar

Description:

spring-security-config

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-config/4.2.12.RELEASE/spring-security-config-4.2.12.RELEASE.jar
MD5: 51e2debb3aab977944731ede0ca9cbb8
SHA1: 19a2d650433e4b71ba32b833e8b6bacfd8bc76a3
SHA256:2bb66116a3e6fcef60e9490f44f1e19888b8033fcfa6701b0eb4d711a613c9c6
Referenced In Project/Scope: java-sec-code:compile
spring-security-config-4.2.12.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2022-22978

In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CWE-863 Incorrect Authorization

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
CWE-522 Insufficiently Protected Credentials

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
CWE-330 Use of Insufficiently Random Values

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20862 (OSSINDEX)

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
CWE-459 Incomplete Cleanup

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2022-22976

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CWE-190 Integer Overflow or Wraparound

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-security-core-4.2.1.RELEASE.jar

Description:

spring-security-core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
MD5: fcc2d53ce70be65eabefd2f62791900b
SHA1: 4e8ae0eb3218e1cacc3d7bd2eb41929799340618
SHA256:a2e9e975d24e5f1433021333f9320aef9184bab9023da8a4b2b7405fe630c435
Referenced In Project/Scope: java-sec-code:compile
spring-security-core-4.2.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2022-22978

In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CWE-863 Incorrect Authorization

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2017-4995

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following are true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive about blocking unknown "deserialization gadgets" when Spring Security enables default typing.
CWE-502 Deserialization of Untrusted Data

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
CWE-522 Insufficiently Protected Credentials

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
CWE-330 Use of Insufficiently Random Values

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-3795

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
CWE-330 Use of Insufficiently Random Values

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22976

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CWE-190 Integer Overflow or Wraparound

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-security-web-4.2.12.RELEASE.jar

Description:

spring-security-web

License:

The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
MD5: ffd237d86bd9a3a8dde70d112a27c556
SHA1: 841a10bd80c682549d90f065276f5164519800e5
SHA256:88313c11bc23e9245142ffeaa9f0236eb09e2d58729afdd30355a7445f4f3fb3
Referenced In Project/Scope: java-sec-code:compile
spring-security-web-4.2.12.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2022-22978

In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CWE-863 Incorrect Authorization

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
CWE-522 Insufficiently Protected Credentials

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
CWE-330 Use of Insufficiently Random Values

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20862 (OSSINDEX)

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
CWE-459 Incomplete Cleanup

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2022-22976

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CWE-190 Integer Overflow or Wraparound

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-web-4.3.6.RELEASE.jar

Description:

Spring Web

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar
MD5: aca2094ae74e7a6b5aab587c44b5cff6
SHA1: 8b8bf8fc6ed4acd5ae0baa6179f1cccc52aaa9aa
SHA256:67ecfc4bb2b225723825a80fcdc823f332d4d66634515a153915af1ded227478
Referenced In Project/Scope: java-sec-code:compile
spring-web-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2016-1000027

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CWE-502 Deserialization of Untrusted Data

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22950

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22970

In Spring Framework versions prior to 5.3.20, 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

spring-webmvc-4.3.6.RELEASE.jar

Description:

Spring Web MVC

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-webmvc/4.3.6.RELEASE/spring-webmvc-4.3.6.RELEASE.jar
MD5: 5e2a226fb55ed5d774a720b8839458e1
SHA1: ea55690d6d61ad70e2569db1e1add1603e427862
SHA256:5938eae0e70bb383292bbbeed011e3b613f63a9e3c249b24b5df23e7ca4f2822
Referenced In Project/Scope: java-sec-code:compile
spring-webmvc-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1275

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11040

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1272

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1257

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22950

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
NVD-CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-11039

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1271

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2018-1199

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
CWE-20 Improper Input Validation

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-5397 (OSSINDEX)

Spring Framework, versions 5.2.x prior to 5.2.3, are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However, a notable exception to this is Chrome-based browsers when using client certificates for authentication, since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-5397 for details
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CWE-178 Improper Handling of Case Sensitivity

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-22970

In Spring Framework versions prior to 5.3.20, 5.2.22 and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-22060 (OSSINDEX)

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
CWE-117 Improper Output Neutralization for Logs

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

thymeleaf-2.1.5.RELEASE.jar

Description:

XML/XHTML/HTML5 template engine for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/thymeleaf/thymeleaf/2.1.5.RELEASE/thymeleaf-2.1.5.RELEASE.jar
MD5: a7e95d2915820f069a220b66ba65232f
SHA1: 513bffa3daaac277460c1a0a2dccb228fa40569e
SHA256: f23eaecff7b6361919416ef6ee06052b6d5a2b7a409047c67a8f4264dd01d2b9
Referenced In Project/Scope: java-sec-code:compile
thymeleaf-2.1.5.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

thymeleaf-layout-dialect-1.4.0.jar

Description:

A dialect for Thymeleaf that allows you to use layout/decorator templates to style your content.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/1.4.0/thymeleaf-layout-dialect-1.4.0.jar
MD5: c7f68cea0796caf11585998f3bbe858f
SHA1: 08d7810c069ed1534b9631fb1e85c35973546086
SHA256: fd844d2e2fe97ca92f66cc8584cd1246f975a728ea95065ada1d82322267a52e
Referenced In Project/Scope: java-sec-code:compile
thymeleaf-layout-dialect-1.4.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

thymeleaf-spring4-2.1.5.RELEASE.jar

Description:

XML/XHTML/HTML5 template engine for Java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/thymeleaf/thymeleaf-spring4/2.1.5.RELEASE/thymeleaf-spring4-2.1.5.RELEASE.jar
MD5: 3fd4f26581a703c6a8a698356d14216a
SHA1: 74cb9028e99597b5d71a98e919fd531a7fc290b4
SHA256: 1e5b114ec1cffb6cbd4cc83cb16690d40c58e1175aba41cdf4274155c59ac859
Referenced In Project/Scope: java-sec-code:compile
thymeleaf-spring4-2.1.5.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2021-43466 (OSSINDEX)

In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
References:

Vulnerable Software & Versions (OSSINDEX):

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

tomcat-embed-core-8.5.85.jar

Description:

Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.85/tomcat-embed-core-8.5.85.jar
MD5: 1f0d439166806481c3c5af923fd972ec
SHA1: 5dc09ff658c7387f0a6724515e6b6fbd56965f5f
SHA256: 7c350a8ad6b07d158e3bdc468e9ba18eaca27f90ec7e16ac9f33bcf869ea2e51
Referenced In Project/Scope: java-sec-code:compile
tomcat-embed-core-8.5.85.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

CWE-193 Off-by-one Error

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-42794

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

CWE-459 Incomplete Cleanup

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-41080

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-42795

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

CWE-459 Incomplete Cleanup

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-45648

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

CWE-20 Improper Input Validation

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

CWE-523 Unprotected Transport of Credentials

CVSSv3:
References:

Vulnerable Software & Versions:

tomcat-embed-websocket-8.5.85.jar

Description:

Core Tomcat implementation

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/8.5.85/tomcat-embed-websocket-8.5.85.jar
MD5: 17d0be26a0fe25e4c526463dabe72d99
SHA1: 96e4e7d3eb20dc8712dc5ed8dcaba749ee8b9d3e
SHA256: e654eb8fcfad5a0f9f323b26f14b886edc4af34a5f275d7eec3b83396129edc1
Referenced In Project/Scope: java-sec-code:compile
tomcat-embed-websocket-8.5.85.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE

Identifiers

Published Vulnerabilities

CVE-2020-8022

An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
CWE-276 Incorrect Default Permissions

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

CWE-193 Off-by-one Error

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-42794

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

CWE-459 Incomplete Cleanup

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-41080

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-42795

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

CWE-459 Incomplete Cleanup

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-45648

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

CWE-20 Improper Input Validation

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

CWE-523 Unprotected Transport of Credentials

CVSSv3:
References:

Vulnerable Software & Versions:

velocity-1.7.jar

Description:

Apache Velocity is a general purpose template engine.

File Path: /home/khannasa/.m2/repository/org/apache/velocity/velocity/1.7/velocity-1.7.jar
MD5: 3692dd72f8367cb35fb6280dc2916725
SHA1: 2ceb567b8f3f21118ecdec129fe1271dbc09aa7a
SHA256: ec92dae810034f4b46dbb16ef4364a4013b0efb24a8c5dd67435cae46a290d8e
Referenced In Project/Scope: java-sec-code:compile
velocity-1.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2020-13936

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

woodstox-core-asl-4.4.1.jar

Description:

Woodstox is a high-performance XML processor that implements Stax (JSR-173) and SAX2 APIs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.4.1/woodstox-core-asl-4.4.1.jar
MD5: 1f53f91f117288fb2ef2e120f27e5498
SHA1: 84fee5eb1a4a1cefe65b6883c73b3fa83be3c1a1
SHA256: 274fa403ed08c0d6f2f574dc1916adaaaec9a493e56d6442f8797ede620bca65
Referenced In Project/Scope: java-sec-code:runtime
woodstox-core-asl-4.4.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE

Identifiers

Published Vulnerabilities

CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to denial of service (DoS) attacks if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

xerces2-xsd11-2.11.1.jar

Description:

A processor for parsing, validating, serializing and manipulating XML, written in Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/com/rackspace/apache/xerces2-xsd11/2.11.1/xerces2-xsd11-2.11.1.jar
MD5: 309f809155fc5c4adaf29622c9ffee05
SHA1: a177954cbe5f1dcf1cc04d2dd0e75deebb902f89
SHA256: 505e797d1140876ec848d729715a2c409b7fa00a8d538ab9b5a393ff5f9bd9ea
Referenced In Project/Scope: java-sec-code:compile
xerces2-xsd11-2.11.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0

Identifiers

Published Vulnerabilities

CVE-2013-4002

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
NVD-CWE-noinfo

CVSSv2:
References:

Vulnerable Software & Versions:

xlsx-streamer-2.0.0.jar

Description:

Streaming Excel reader

License:

Apache 2.0: https://raw.githubusercontent.com/monitorjbl/excel-streaming-reader/master/LICENSE
File Path: /home/khannasa/.m2/repository/com/monitorjbl/xlsx-streamer/2.0.0/xlsx-streamer-2.0.0.jar
MD5: 0a4218280443fb635e9a7dbbb7fd31fd
SHA1: 5f879eed9795c4ffe361337b9ae3c4f5f20197da
SHA256: 21e2f83a355991a184f8ddcb706e4fc1d93a0e2cf4a572f040caa01562546bfb
Referenced In Project/Scope: java-sec-code:compile
xlsx-streamer-2.0.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2022-23640

Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

xmlbeans-2.3.0.jar

Description:

XmlBeans main jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/xmlbeans/xmlbeans/2.3.0/xmlbeans-2.3.0.jar
MD5: 64b05e7adad68fa65d02a8b6daa64afb
SHA1: 8704dcf5c9f10265a08f5020b0fab70eb64ac3c4
SHA256: c63808344ea50d9741b266362996557bac8587cdc4f3faf13bbec95296d353e3
Referenced In Project/Scope: java-sec-code:compile
xmlbeans-2.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.poi/poi-ooxml@3.9

Identifiers

Published Vulnerabilities

CVE-2021-23926

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

xmlprojector-1.4.13.jar

Description:

The coolest XML library for Java around. Define typesafe views (projections) to xml. Use XPath to read and write XML. Bind XML to Java collections. Requires at least Java6, supports Java8 features and has no further runtime dependencies.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/xmlbeam/xmlprojector/1.4.13/xmlprojector-1.4.13.jar
MD5: 55c1c4b360d1b8a80fca35dcb807fd4b
SHA1: a6493527e7f029f133ad587621228593d304c2ea
SHA256: 2c7d2361fb8ccc9fef60a2ff87d3e4f7c0191e5bbdf3e3119b83a4570c3b290d
Referenced In Project/Scope: java-sec-code:compile
xmlprojector-1.4.13.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2018-1259

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

xstream-1.4.10.jar

Description:

XStream is a serialization library from Java objects to XML and back.

License:

http://x-stream.github.io/license.html
File Path: /home/khannasa/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
MD5: d00eec778910f95b26201395ac64cca0
SHA1: dfecae23647abc9d9fd0416629a4213a3882b101
SHA256: a1587f35fa617513607c86ec9e6e4de5eb8acdf9a3a6d7f7458f8a8c40b00858
Referenced In Project/Scope: java-sec-code:compile
xstream-1.4.10.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0

Identifiers

Published Vulnerabilities

CVE-2021-21345

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on the default blacklist of XStream's Security Framework, you will have to use at least version 1.4.16.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2013-7285

XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any supported format, e.g. JSON.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2019-10173

It was found that XStream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON (regression of CVE-2013-7285).
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21344

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on the default blacklist of XStream's Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21346

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on the default blacklist of XStream's Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21347

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21350

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21342

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21351

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-26217

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-29505

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CWE-502 Deserialization of Untrusted Data, CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39139

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21349

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39141

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39144

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-502 Deserialization of Untrusted Data, CWE-306 Missing Authentication for Critical Function

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39145

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39146

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39147

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39148

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39149

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39150

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39151

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39152

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39153

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39154

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-26258

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21341

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-502 Deserialization of Untrusted Data

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21343

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in the deletion of a file on the local host. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-502 Deserialization of Untrusted Data, CWE-73 External Control of File Name or Path

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-21348

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-43859

XStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-40151

Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DoS) if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-41966

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers to these only as the default map or set is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and that all elements are comparable.
CWE-674 Uncontrolled Recursion

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2020-26259

XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist when running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-39140

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CWE-502 Deserialization of Untrusted Data, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv2:
CVSSv3:
References:

Vulnerable Software & Versions:



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.